It seems the Python Software Foundation needs some help with a company in the UK that is trying to trademark the word "Python" for "software, servers, services… pretty much anything having to do with a computer".

So here, for the record, is our statement.

We at F-Secure use Python extensively in our organization, mainly on the back end and for internal tooling, but it's ubiquitous in our R&D work, and we encourage all our developers to embrace Python (in the fairly unlikely event that they are not already enthusiastic about it). To the best of our knowledge, our company is representative of the technology industry in Europe in general in this respect; apart from very specialized niche companies, everybody is using Python, and it would seem preposterous, outrageous, insane, well, unfair to grant this trademark to anybody except the legitimate holder of the intellectual property rights for the Python programming language.

Let's do some more searches. Here's what you'll get from apple.com when you search for "security updates":

Marketing material. Typical. Oh, support info is on the right-hand side. Alright, fair enough then, security is a support issue.

Here's what you'll get from apple.com/support/ when you search for "security updates":

The top result is from December of last year, and there are even older results below. But there does seem to be a mention of security updates inside the text. Opening the article finally links you to an index: Apple security updates.

The index shouldn't be so difficult to find. And it's kind of sad it needs to be in quotes to actually show up in the search results.

To be very frank, this advice was already behind the times when it was written in July 2012:

You just might want to get somebody to update that article with a mention of "exploits" and "drive-by attacks" and "watering holes" and… oh, you know, relevant stuff.

Look, here's the thing. Eleven years ago, Internet worms smacked around Windows so much — it ended up being a real wake up call. At which point, Microsoft made a big, and successful, effort to change its security culture.

But Apple?

Here's your corporate line:

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

Here's the problem.

Apple not only refuses to confirm issues "until" patches are available — it doesn't even discuss them after the fact.

And why is that a problem?

Because we don't live in an era of Internet worms anymore. This is an era of Internet hacks! And information is valuable in that it allows for organizations with a large Mac user base to make informed threat assessments.

And the more Apple shares with the community, the better off everybody will be.

So please, consider making a change in Apple's culture of secrecy and denial.

You have talented, and friendly, security response analysts working for you. Why not highlight their efforts? Consider putting them front and center and applaud them for their good work. Own this problem, get in front of it.

By all measures, Java is the current title holder for the lowest hanging fruit in computer security. (And by Java, we mean JRE and its various browser plugins.) It wasn't always so. How did it happen? Let's review some highlights in the history of low hanging fruit.

From 2004 to 2008: Attacks shifted from Windows to Office.

2004, August — Windows XP Service Pack 2 was released.

2005, February — At RSA Conference, Microsoft announced the first beta of Microsoft Update.

2005, June — The initial release of Microsoft Update.

Result: Over time, fewer Microsoft Office vulnerabilities in the wild as Microsoft Update replaced Windows Update.

Adobe wasn't surprised by the data. "Given the relative ubiquity and cross-platform reach of many of our products, Adobe has attracted — and will likely continue to attract — increasing attention from attackers."

So, how is the sample related? On February 15th, Mac malware samples were shared via a "Mac malware" mailing list. In the follow-up discussion, two file hashes were shared, one of which is available via VirusTotal. And that sample turned out to be a Java exploit that drops a Windows backdoor. Brod analyzed the backdoor (detected as Trojan.Generic.8282738) and discovered that it attempts to connect to digitalinsight-ltd.com, one of the sinkholed C&Cs related to Friday's Mac malware.

Our generic detection, Exploit:Java/Majava.B, is used by our cross-platform antivirus scanning engine, so our Windows customers are protected, too. Our thanks to the analyst who shared the file hash (she knows who she is).

The hacks related to Apple involve a lot of complexities. Let's review the timeline:

February 1st: Twitter's Director of Information Security, Bob Lord, posted "Keeping our users secure" on Twitter's blog. On a Friday. The weekend of the NFL's Super Bowl. Lord explained that Twitter had been hacked, and that 250,000 accounts have had their passwords reset as a result. Lord advised people to disable Java's browser plugin.

February 1st: The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) issues Alert (TA13-032A) warning of multiple vulnerabilities in Oracle Java.

February 4th: Monday. We asked contacts at Apple: Based on Lord's post, we suspect a Mac payload, do you have any samples that you are allowed to share with us? The reply: "Twitter has not shared any samples with us."

February 7th: Oracle releases a critical patch update for Java (JRE 7 Update 11 and earlier) ahead of schedule because of "active exploitation in the wild" of one of the vulnerabilities addressed.

February 7th: Adobe published a security bulletin for Adobe Flash Player. From the bulletin: "Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform…".

February 15th: Facebook's security team posted "Protecting People On Facebook" on its Page. On a Friday. Just before a three-day weekend in the United States. The security team explained that some Facebook employee "laptops" have been hacked via a Java exploit.

February 15th: Mac samples (backdoors) are shared with an AV mailing list.

February 18th: our Helsinki-based Mac analyst, Brod, examines the backdoors. We quickly determine that all of the related C&Cs are sinkholed by The Shadowserver Foundation. Other recent Mac backdoors, targeting Uyghur people, have not been sinkholed in this manner. To us, this indicates that the backdoors are part of a law enforcement investigation. Knowing that Chief Security Officer Joe Sullivan is a former U.S. Attorney (federal prosecutor), we suspect a connection to Facebook.

February 19th: Reuters breaks the news that Apple employees were also hacked via a Java exploit. According to Reuters, "a person briefed on the case said that hundreds of companies, including defense contractors, had been infected with the same malicious software."

February 19th: Oracle releases a "special" critical patch update for Java (JRE 7 Update 13 and earlier) which includes all of the fixes from February 1st, "plus an additional five fixes which had been previously planned for delivery."

February 20th: Ian Sefferman, an administrator at iPhoneDevSDK, writes that prior to AllThingsD's article, "we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."

Q: Adobe reported in the wild attacks on websites targeting Flash. Those attacks appear to be targeting defense contractors. Where are those watering holes located?

Q: How many companies were affected?

Q: How many unique connections have been made to Shadowserver's sinkhole?

Q: How long has this type of thing been going on? Apple began removing old versions of Java from Macs when people updated OS X in October 2012. Was that a proactive… or reactive decision? How many times has Apple been compromised?

Considerations

Macs have something like a 15% market share in the real world. Such market share equals a relatively low motivation for bad guys to develop bulk commoditized "malware as a service" which targets average Mac-owning consumers. Folks who use Macs at home are as relatively secure today as they were yesterday, and as such, they probably have a reasonable sense of security.

But in the "developer world", Macs have a much higher percentage of market share. (In Silicon Valley we'd guesstimate it's probably the inverse of the real world: 85%.) As such, there is relatively high motivation for bad guys to develop "sophisticated" attacks that incorporate Mac-based payloads. Folks who use their Macs for work should not have the same sense of security as home users. Clearly, work-based Macs are more of a target, and expectations of security should scale to match the threat level.

Developers who assume attackers have only a "15%" motivation to target them aren't paranoid enough, and are operating with a false sense of security. It's time for businesses and organizations to reassess.

At the very least, developers and other professionals should segment work (with access to production back ends) and play into separate virtual machines if not separate hardware.

Yesterday's post generated some feedback along the lines of "interesting theory". But here's the deal, that other companies were hacked is not a theory — it's a fact. Facebook's Chief Security Officer, Joe Sullivan, said so himself in an interview with Ars Technica.

According to Sullivan, Facebook's security team worked with a third-party to sinkhole the attacker's server — and they discovered traffic coming from several other companies.

These are the domains associated with the Mac malware we wrote about yesterday:

• corp-aapl.com
• cloudbox-storage.com
• digitalinsight-ltd.com

They're all currently pointing to shadowserver.org. And that would be the third-party sinkhole mentioned by Sullivan.

So we ask the question again, just how many other mobile application developers took a drink from the watering hole that nailed Twitter & Facebook? Does "several other companies" mean only a handful of unique connections were made to the sinkhole? Or does it mean Facebook has only been able to identify "several" out of many more connections?

We would like to know: in total, how many unique connections have been made to Shadowserver's sinkhole?
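One thing an organization with Macs on its network can do with the three domains above is check its own resolver or proxy logs for any client that asked for them. The script below is an added example written for this page, not code from F-Secure or from the post; the only page-sourced data in it is the list of domains. The log format and the log lines are constructed for illustration, so the regular expression must be adapted to whatever your DNS server or proxy actually writes.

```python
"""
Added example (not code from the original post): match outbound DNS or
proxy log lines against the three C&C domains the post lists, which at the
time pointed at the Shadowserver sinkhole. Matching is done on whole domain
labels so subdomains are caught but look-alikes such as "notcorp-aapl.com"
are not. The log format and sample lines below are constructed.
"""
import re
from collections import Counter

# Indicators taken from the post; this set is the only page-sourced data here.
SINKHOLED_C2_DOMAINS = frozenset({
    "corp-aapl.com",
    "cloudbox-storage.com",
    "digitalinsight-ltd.com",
})

# Constructed log format: "<timestamp> <client-ip> <queried-host>".
SAMPLE_LOG = """\
2013-02-18T09:12:01Z 10.1.4.22 www.apple.com
2013-02-18T09:12:07Z 10.1.4.22 corp-aapl.com
2013-02-18T09:13:44Z 10.1.4.31 update.cloudbox-storage.com
2013-02-18T09:14:02Z 10.1.4.31 notcorp-aapl.com
2013-02-18T09:15:19Z 10.1.4.57 DigitalInsight-LTD.com.
2013-02-18T09:16:30Z 10.1.4.22 github.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s*$")


def matched_indicator(host, indicators=SINKHOLED_C2_DOMAINS):
    """Return the indicator `host` equals or is a subdomain of, else None.

    The name is lower-cased and a trailing dot (FQDN form) is stripped, so
    "DigitalInsight-LTD.com." still matches. Comparison is on label
    boundaries: "a.corp-aapl.com" matches, "notcorp-aapl.com" does not.
    """
    name = host.lower().rstrip(".")
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def scan_log(text):
    """Yield (timestamp, client, host, indicator) for every matching line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ind = matched_indicator(m.group("host"))
        if ind:
            yield m.group("ts"), m.group("client"), m.group("host"), ind


def clients_to_investigate(text):
    """Map each internal client that touched a sinkholed domain to its hit count."""
    return dict(Counter(client for _, client, _, _ in scan_log(text)))


if __name__ == "__main__":
    for ts, client, host, ind in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {host} (matches {ind})")
    print("clients to investigate:", clients_to_investigate(SAMPLE_LOG))
```

On the constructed sample this flags three of the six lines and three distinct clients; the fourth line, "notcorp-aapl.com", is deliberately not matched because a plain substring search would have produced a false positive there. A hit only tells you that a host talked to the sinkhole, which at this point means Shadowserver, not the attackers; the value is in knowing which machines to pull for the launch-item check described in the next post.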

Friday, February 1st: Twitter announced it was hacked. The post (Keeping our users secure) by Bob Lord, Director of Information Security, was sparse on details but recommended disabling Java's browser plugin.

And according to Lord, the attackers "were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Friday, February 15th: Facebook announced it was hacked. According to the Security Team's note (Protecting People On Facebook), a handful of employees visited a compromised website hosting a Java "exploit which then allowed malware to be installed on these employee laptops."

So, disable Java's browser plugin by default, and only enable it when you really need to do so. But we already knew that, didn't we?

And while everybody else is bashing Oracle, we have a more interesting question: what malware on what type of laptop?

Why? Because Macs are the type of laptop we almost always see in Facebook's employee photos.

As we've already speculated on February 4th, an exploit opens the door — what walked through that door and onto the hip young Silicon Valley developer's MacBook?

Well, interestingly enough, last Friday evening, we received (via a mailing list) new Mac malware samples to analyze. Samples that were uploaded to VirusTotal on January 31st, one day before Twitter's announcement.

One type of sample is a custom-compiled SSH daemon, which we suspect is very likely dropped by an exploit. The others aren't actually "samples" insofar as they aren't binaries; they're a one-line Perl program which runs at startup and opens a reverse shell.

The URLs used include: a misspelling of "Apple Corp"; something that sounds like a digital consulting company; and something that pretends to be a cloud storage service.

Okay, so there's a Mac threat out there and most Mac users are completely unaware of it. They have a false sense of security. That's bad, right? But that's not even the worst of it when you really consider all of the details. What was the compromised website which hosted the Java exploit? According to Facebook's note, it was a mobile developer website!

As in… can't hack mobile devices? Okay then, go up stream and hack mobile application developers. At which point you can inject whatever you want into the developer's source code.

Twitter and Facebook obviously have dedicated security teams on the lookout for trouble. (They're big targets.) Unfortunately, other smaller Silicon Valley startups (with big user bases) don't have the same resources. At this point, we really hope somebody has been in touch with the folks at WhatsApp, which according to Google Play, has at least 100 million installations.

There are hundreds of thousands if not millions of mobile apps in the world. How many of the apps' developers do you think have visited a mobile developer website recently? With a Mac… and a very false sense of security?

We'll all be very lucky if this watering hole was only really trying to target big players such as Twitter and Facebook. On the other hand, if the campaign had a broader goal of hacking as many developers as possible — it really calls into question current bring your own device policies. BYOD = Bring your own destruction?

Advice

Systems compromised by the SSH daemon variant will have one of the following:

• com.apple.cupsd.plist
• com.apple.cups.plist

Systems compromised by the Perl variant will have one of the following:

• com.apple.cocoa.plist
• com.apple.env.plist
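The four file names above are launchd property lists, so the natural check is to look for them in the directories launchd reads at boot and at login and, if one is present, read what it launches. The script below is an added example, not code from F-Secure or the post. Only the four file names come from the post; the search directories are the standard launchd locations and are an assumption of this example, since the post does not say where the files were dropped. The check is read-only, and the sample plist it builds for its own demonstration is constructed and contains no payload.

```python
"""
Added example (not code from the original post): a read-only check for the
launchd property-list names the post gives as indicators of the SSH-daemon
and Perl variants. Only the file names come from the post; the directories
searched are the standard launchd locations, assumed here. Where a hit is
readable, its ProgramArguments are returned so a responder can see what the
item launches. Nothing is modified or deleted.
"""
import plistlib
import tempfile
from pathlib import Path

# Indicator file names taken from the post, grouped by the variant they mark.
INDICATOR_PLISTS = {
    "com.apple.cupsd.plist": "ssh-daemon variant",
    "com.apple.cups.plist": "ssh-daemon variant",
    "com.apple.cocoa.plist": "perl reverse-shell variant",
    "com.apple.env.plist": "perl reverse-shell variant",
}


def default_launch_dirs():
    """Standard launchd locations (assumed). Per-user agents run at login,
    the rest at boot; the com.apple.* names blend in with Apple's own items."""
    return [
        Path.home() / "Library" / "LaunchAgents",
        Path("/Library/LaunchAgents"),
        Path("/Library/LaunchDaemons"),
        Path("/System/Library/LaunchAgents"),
        Path("/System/Library/LaunchDaemons"),
    ]


def describe_launch_item(path):
    """Return the launch item's ProgramArguments (or [Program]) or None if unreadable."""
    try:
        with Path(path).open("rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, plistlib.InvalidFileException):
        return None
    args = data.get("ProgramArguments")
    if args is None and "Program" in data:
        args = [data["Program"]]
    return args


def find_suspicious_launch_items(directories=None):
    """Scan the given directories (default: launchd locations) for the indicator names.

    Returns a list of {"path", "variant", "program"} dicts; an empty list means
    none of the listed names are present in the scanned directories.
    """
    hits = []
    for d in directories or default_launch_dirs():
        d = Path(d)
        if not d.is_dir():
            continue
        for name, variant in INDICATOR_PLISTS.items():
            candidate = d / name
            if candidate.exists():
                hits.append({
                    "path": str(candidate),
                    "variant": variant,
                    "program": describe_launch_item(candidate),
                })
    return hits


def scan_constructed_example():
    """Build a constructed com.apple.env.plist in a temp dir and scan it.

    This exists only to show the output shape; the arguments are a harmless
    placeholder, not the real Perl one-liner.
    """
    tmp = Path(tempfile.mkdtemp())
    sample = {"Label": "com.apple.env",
              "ProgramArguments": ["/usr/bin/perl", "-e", "print 'constructed sample'"],
              "RunAtLoad": True}
    with (tmp / "com.apple.env.plist").open("wb") as fh:
        plistlib.dump(sample, fh)
    return find_suspicious_launch_items([tmp])


if __name__ == "__main__":
    findings = find_suspicious_launch_items()
    if not findings:
        print("none of the listed launchd indicators found on this host")
    for f in findings:
        print(f"{f['path']}: {f['variant']}; launches {f['program']}")
    print("constructed demo:", scan_constructed_example())
```

Run as an ordinary user it can only see the per-user LaunchAgents folder and the system directories it has read access to; run it with elevated rights if the latter are restricted. A hit should be preserved (copy the file and note its timestamps) rather than deleted, since the plist, the binary it points to and the commit history mentioned below are the evidence the investigation rests on.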

Any developer who has Java enabled in his browser, has visited mobile developer websites in the last couple of months, and finds evidence his computer is compromised — probably should use his source code versioning system to check recent commits.

And if you don't use a version control system (such as SVN or Git), have fun re-reading your entire code base.

Edited to add: And it should almost go without saying that developers using Windows should practice the same vigilance.

Spanish Police and Europol did a major bust today, arresting several persons connected to the well-known "Police" ransom trojans.

We've covered these ransom trojan families on our blog before, but in a nutshell, they lock up an infected PC, claiming to be the local police and demanding the victim to pay a "fine" to open up the system.

All in all, 11 people were arrested and six premises were searched.

Here's an arrest video released by Spanish Brigada de Investigación Tecnológica de la Policía Nacional.

Note the use of Cellebrite devices to take forensic images of suspect mobile phones (at around 2 minutes into the video).

Congratulations to Spanish Police and EC3. This bust must have felt good, as the brands of both have been misused by police trojans (see the below snippet taken from a screen displayed by a trojan):

Most people are aware of identity theft these days, and that it's a relatively easy way for criminal types to make money (by accessing credit). But we've wondered, at what point does it become easier to fake, rather than to steal identities?

The defendants are alleged to have used thousands of fake identities, documents, and companies to get tens of thousands of credit cards. And they cashed out two hundred million dollars.

Our favorite detail?

"Law enforcement discovered approximately $70,000 in cash in the oven of one defendant."

Guess the freezer was full…

Prediction: as more of our personal identity becomes digital, and as schemes such as the one above become more common — we'll spend less time protecting our identity than we will trying to prove it isn't fake.

What's been demanding our attention in the second half of 2012? Discover the answer to that question in our H2 2012 Threat Report! It pretty much sums up all the important cases we've seen from July to December of 2012. Whet your appetite with short articles on passwords and corporate espionage, and then move on to the case studies on the following:

Correction (8 Feb 2013): The H2 2012 Threat Report was updated to amend the following statement in the ZeroAccess article: "A successful installation in the United States will net the highest payout, with the gang willing to pay USD 500 to 1,000 per installation in that location." The sentence was corrected to "[...] to pay USD 500 per 1,000 installations in that location."

If we were to speculate, we'd guess a developer at Twitter fell victim to a targeted attack which used a Java exploit. And being a hip Silicon Valley company, the developer probably uses a Mac. And that of course means the Java exploit dropped a Mac-based payload.